The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin are available as a “General Availability” release. The GA designation is our highest quality grade.
These releases address one critical security vulnerability: - Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser S2-045, S2-046 (CVE-2017-5638) http://struts.apache.org/docs/s2-045.html http://struts.apache.org/docs/s2-046.html Those plugins were released to allow users running older versions of the Apache Struts secure their applications in easy way. You don’t have to migrate to the latest version (which is still preferable) but by applying one of those plugins, your application won’t be vulnerable anymore. It is a drop-in installation, just select a proper jar file and copy it to WEB-INF/lib folder. Please read the README (https://github.com/apache/struts-extras) for more details and supported Apache Struts versions. All developers are strongly advised to perform this action. Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket. You can download those plugins from our download page. http://struts.apache.org/download.cgi#struts-extras Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
